
BUGs found #5

Open
LeoneChen opened this issue Jun 28, 2023 · 0 comments


LeoneChen commented Jun 28, 2023

Stack overflow

buf is only 256 bytes in size, but vsnprintf can write up to BUFSIZ bytes, causing a stack overflow

```c
int printf(const char* fmt, ...)
{
char buf[256] = { '\0' };
va_list ap;
va_start(ap, fmt);
vsnprintf(buf, BUFSIZ, fmt, ap); // size argument is BUFSIZ, but buf holds only 256 bytes
va_end(ap);
ocall_print_string(buf);
return (int)strnlen(buf, BUFSIZ - 1) + 1;
}
```

Null Pointer Dereference

Although ptr is marked `[in]`, when it is null TBridge will pass it to the real ecall

```
public void cp_source([in, size=len]void *ptr, size_t len);
```


But cp_source does not check that ptr is not null

BiORAM-SGX/Enclave/Enclave.cpp, lines 1052 to 1056 in 6e8df40:

```cpp
void cp_source(void *ptr, size_t len)
{
std::string sc = (const char*)ptr; // no null check on ptr before it is used as a C string
printf("%s", sc.c_str());
}
```
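The two hardened forms of the routines above, as an added example that is not part of the issue or of the BiORAM-SGX code: `enclave_printf` sizes the `vsnprintf` call from the real buffer (`sizeof(buf)`) instead of `BUFSIZ`, and `cp_source_checked` rejects a null pointer and prints at most `len` bytes, since the `[in, size=len]` bridge copies exactly `len` bytes and does not guarantee a terminator inside them. The `ocall_print_string` stub that records the last printed string, the function names and the return conventions are assumptions made for this example so it runs outside an enclave.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdarg.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Stand-in for the enclave's ocall_print_string (assumption for this example):
   records the last string printed so the behaviour can be checked. */
static char g_last_output[BUFSIZ];

static void ocall_print_string(const char *s)
{
    strncpy(g_last_output, s, sizeof(g_last_output) - 1);
    g_last_output[sizeof(g_last_output) - 1] = '\0';
}

/* Hardened printf: the size passed to vsnprintf is the size of buf itself,
   so output longer than 255 characters is truncated instead of overflowing
   the stack. Returns the number of bytes actually handed to the OCALL. */
int enclave_printf(const char *fmt, ...)
{
    char buf[256] = { '\0' };
    va_list ap;
    va_start(ap, fmt);
    vsnprintf(buf, sizeof(buf), fmt, ap);   /* sizeof(buf), never BUFSIZ */
    va_end(ap);
    ocall_print_string(buf);
    return (int)strnlen(buf, sizeof(buf) - 1);
}

/* Hardened cp_source: the bridge passes a null ptr through unchanged, so the
   ecall must reject it itself. It also never reads past the len bytes the
   bridge copied, because those bytes need not contain a '\0'.
   Returns 0 on success, -1 when the arguments are rejected. */
int cp_source_checked(const void *ptr, size_t len)
{
    if (ptr == NULL || len == 0)
        return -1;
    /* Bounded length: stop at the first '\0' or at len, whichever comes first. */
    size_t n = strnlen((const char *)ptr, len);
    /* "%.*s" prints at most n characters and does not require a terminator. */
    enclave_printf("%.*s", (int)n, (const char *)ptr);
    return 0;
}

/* Demonstrates the overflow case: a 599-character argument is cut to 255. */
int long_output_is_bounded(void)
{
    char big[600];
    memset(big, 'A', sizeof(big) - 1);
    big[sizeof(big) - 1] = '\0';
    int n = enclave_printf("%s", big);
    return n == 255 && strlen(g_last_output) == 255;
}

int main(void)
{
    printf("null rejected: %d\n", cp_source_checked(NULL, 16) == -1);
    printf("bounded copy ok: %d\n", cp_source_checked("hello world", 5) == 0);
    printf("printed: \"%s\"\n", g_last_output);
    printf("long output bounded: %d\n", long_output_is_bounded());
    return 0;
}
```

The check in `cp_source_checked` belongs in the ecall body rather than in the EDL, because `[in, size=len]` only governs how the bridge copies the buffer into the enclave; a null pointer with a non-zero length is handed over without complaint.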
